Microsoft continues to urge users of its Exchange email servers to patch and bring them up to date. A known and, it's worth emphasizing, patched vulnerability (CVE-2020-0688) has been under active exploitation by nation-state intelligence services since April. As ZDNet asks, why would any intelligence service worthy of its trenchcoats (we paraphrase and mix many metaphors) burn a zero-day when it could just waltz in through a known hole?
Trustwave says it's found a new malware family, "GoldenSpy," embedded in tax software that companies doing business in China have been required by their Chinese bank to install. The software does the taxes; it also opens a system-level backdoor.
A Malwarebytes report describes how Magecart operators have improved their game. The paycard skimming malware is now being hidden in EXIF metadata of image files. There are several criminal gangs known to use Magecart. This particular upgrade appears to be the work of Magecart Group 9.
The extortionists who compromised Indiabulls have made good on their threat to begin releasing data if the company didn't pay the ransom. The Hindustan Times reports that the first tranche of company information has been leaked.
Where do vulnerabilities come from? Mostly, according to Snyk's study of open-source software security, from indirect dependencies.
Twitter may have banned DDoSecrets after the BlueLeaks information dump, but DDoSecrets rejects what they call the social platform's unexpectedly "Nixonian" move, and the group tells WIRED they'll be looking for other venues in which to post whatever they come up with in the future.